
LinkedIn Reaches Deal in Privacy Litigation

A security breach that opened more than 6 million passwords to online viewing and spawned a putative class action will cost LinkedIn Corp. $1.25 million to settle.

The preliminary agreement was reached August 15 in In Re: LinkedIn User Privacy Litigation, a consolidated action through which plaintiffs alleged the professional networking site misrepresented the strength of its security protections.

The suit stems from a 2012 security breach that let hackers post 6.5 million passwords online. Three days after the hack was discovered, LinkedIn said in a statement it had switched its password encryption method to a more advanced one.

Plaintiff Khalilah Gilmore-Wright, whose initial complaint against LinkedIn was dismissed because it failed to show she suffered economic harm, argued in her second amended complaint that she relied on the company’s user agreement and privacy policy—which states that “[a]ll information that you provide will be protected with industry standard protocols and technology”—to pay for a premium LinkedIn subscription.

In fact, the complaint alleged, the company’s security at the time of the breach was substantially below the industry standard. LinkedIn denies any wrongdoing or liability.

According to the proposed agreement, the $1.25 million settlement fund will be used to pay about $400,000 in attorneys’ fees and expenses, along with no more than $180,000 in settlement administration costs. Much of the rest will be available, at $50 per claim, for those with premium LinkedIn subscriptions at the time of the hack, the settlement documents show.

LinkedIn also agreed to employ stronger security protections for passwords for five years, and the company said it would use salting and hashing, which combine random strings with cryptographic algorithms, to make passwords far more difficult to crack.